From 0ef5872cee83f07c9ae7afceb2e92257507dc3ca Mon Sep 17 00:00:00 2001
From: Eric Wong <e@80x24.org>
Date: Fri, 20 Apr 2018 03:27:37 +0000
Subject: disallow "\t" and "\n" in OVER headers

For Subject/To/Cc/From headers, we squeeze them to a space (' ').

For Message-IDs (including References/In-Reply-To), '\t', '\n', '\r'
are deleted since some MUAs might screw them up:

  https://public-inbox.org/git/656C30A1EFC89F6B2082D9B6@localhost/raw
---
 lib/PublicInbox/MID.pm       | 1 +
 lib/PublicInbox/SearchMsg.pm | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib/PublicInbox')

diff --git a/lib/PublicInbox/MID.pm b/lib/PublicInbox/MID.pm
index c82e8401..cd56f272 100644
--- a/lib/PublicInbox/MID.pm
+++ b/lib/PublicInbox/MID.pm
@@ -87,6 +87,7 @@ sub uniq_mids ($) {
 	my @ret;
 	my %seen;
 	foreach my $mid (@$mids) {
+		$mid =~ tr/\n\t\r//d;
 		if (length($mid) > MAX_MID_SIZE) {
 			warn "Message-ID: <$mid> too long, truncating\n";
 			$mid = substr($mid, 0, MAX_MID_SIZE);
diff --git a/lib/PublicInbox/SearchMsg.pm b/lib/PublicInbox/SearchMsg.pm
index ab971e00..c7787ea1 100644
--- a/lib/PublicInbox/SearchMsg.pm
+++ b/lib/PublicInbox/SearchMsg.pm
@@ -100,7 +100,7 @@ sub __hdr ($$) {
 	my $mime = $self->{mime} or return;
 	$val = $mime->header($field);
 	$val = '' unless defined $val;
-	$val =~ tr/\n/ /;
+	$val =~ tr/\t\n/  /;
 	$val =~ tr/\r//d;
 	$self->{$field} = $val;
 }
-- 
cgit v1.2.3-24-ge0c7